George's $0.02.

In the area of running boxes inside a network (LAN) that has a firewall
protecting them from the bad Internet, I am at odds with some corporations,
who shall remain nameless. I feel every box on the network should be able to
stand on its own without the firewall (at least for a few hours). This
provides redundancy - if the main firewall fails or is compromised, you have
one more layer of protection. Look at it like a bank - do you think they use
just one lock to keep the bad guys out?

Yes, I practice what I preach - my workstation runs a firewall just as strong
as my dedicated hardware firewall. That way, if I goober up the hardware
firewall, I'm not left naked with my arse hanging out.

So running ipchains on an internal box is not a bad thing - just make sure you
know why you are doing it.

George
Paranoid at Large

Craig White wrote:
>
> Assuming that this is a single NIC on a server on the internal LAN and
> you have no idea what you want a firewall to be doing on this computer
> anyway... why don't you just turn it off?
>
> service ipchains stop
>
> chkconfig --levels 2345 ipchains off
>
> Otherwise,
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 10000
>
> Replace port & variables as necessary, but I have to tell you that what
> you have in place for ipchains is pretty minimal and you shouldn't feel
> as though anything is secure on that system because you have an ipchains
> firewall running on it.
>
> Craig
>
> On Tue, 2002-06-25 at 17:49, alandd@mindspring.com wrote:
> > OK, this is looking like a firewall (i.e. ipchains) setting issue. I will have
> > to go learn how to do ipchains, and without a GUI since I didn't put it on
> > this box!
> >
> > The output of "ipchains -L" gives:
> >
> > Chain input (policy ACCEPT):
> > target prot opt     source           destination      ports
> > ACCEPT udp  ------  192.168.200.1    anywhere         domain -> 1025:65535
> > ACCEPT tcp  -y----  anywhere         anywhere         any -> http
> > ACCEPT tcp  -y----  anywhere         anywhere         any -> ssh
> > ACCEPT udp  ------  anywhere         anywhere         bootps:bootpc -> bootps:bootpc
> > ACCEPT udp  ------  anywhere         anywhere         bootps:bootpc -> bootps:bootpc
> > ACCEPT all  ------  anywhere         anywhere         n/a
> > REJECT tcp  -y----  anywhere         anywhere         any -> any
> > REJECT udp  ------  anywhere         anywhere         any -> any
> > Chain forward (policy ACCEPT):
> > Chain output (policy ACCEPT):
> >
> > What line do I need to allow Webmin miniserv.pl to listen for https
> > connections on eth0? Where do I put said line?
> >
> > Meanwhile, I'll go read the manuals...
> >
> > Alan
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
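An added worked example for Alan's "where do I put said line" question; this is not code from the thread or from any of the posters. The detail that matters is rule order: ipchains walks the input chain top to bottom and the first match wins, so a rule appended with "-A input" lands after the two REJECT rules at the bottom of Alan's chain and is never reached. It has to be inserted with "-I input <position>" ahead of the first REJECT. The script below works out that position from a listing and prints the command rather than running it, so it can be reviewed before being pasted in. The listing and the host address 192.168.200.5 are constructed for the example; ipchains itself (2.2-era kernels, long obsolete) is not needed to run it, and the same ordering rule holds for iptables and nftables.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds where a new ipchains rule
# must be inserted so it sits ahead of the first REJECT/DENY in the input
# chain, and prints the resulting command. Assumes ipchains syntax
# ("-I chain rulenum ...", "-y" = SYN only); the listing and the host
# address 192.168.200.5 below are constructed sample data.

# Constructed from the chain Alan posted, in the form "ipchains -L input -n"
# prints it (anywhere -> 0.0.0.0/0, domain -> 53, http -> 80, ssh -> 22).
SAMPLE_CHAIN='Chain input (policy ACCEPT):
target prot opt     source             destination        ports
ACCEPT udp  ------  192.168.200.1      0.0.0.0/0          53 -> 1025:65535
ACCEPT tcp  -y----  0.0.0.0/0          0.0.0.0/0          * -> 80
ACCEPT tcp  -y----  0.0.0.0/0          0.0.0.0/0          * -> 22
ACCEPT udp  ------  0.0.0.0/0          0.0.0.0/0          67:68 -> 67:68
ACCEPT udp  ------  0.0.0.0/0          0.0.0.0/0          67:68 -> 67:68
ACCEPT all  ------  0.0.0.0/0          0.0.0.0/0          n/a
REJECT tcp  -y----  0.0.0.0/0          0.0.0.0/0          * -> *
REJECT udp  ------  0.0.0.0/0          0.0.0.0/0          * -> *'

# A chain with no blocking rule at all (constructed); appending is fine here.
SAMPLE_OPEN='Chain input (policy ACCEPT):
target prot opt     source             destination        ports
ACCEPT all  ------  0.0.0.0/0          0.0.0.0/0          n/a'

# first_reject_pos LISTING
# Prints the 1-based position of the first REJECT or DENY rule in the
# listing, or 0 if there is none. The first two lines of "ipchains -L"
# output are the chain banner and the column header, not rules.
first_reject_pos() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }
        { pos++ }
        $1 == "REJECT" || $1 == "DENY" { print pos; found = 1; exit }
        END { if (!found) print 0 }'
}

# webmin_rule LISTING IFACE HOSTADDR PORT
# Prints the ipchains command that accepts new TCP connections (-y, SYN
# only, like the existing http/ssh rules) to PORT on HOSTADDR arriving on
# IFACE, inserted before the first REJECT when there is one.
webmin_rule() {
    listing=$1 iface=$2 host=$3 port=$4
    pos=$(first_reject_pos "$listing")
    if [ "$pos" -eq 0 ]; then
        printf 'ipchains -A input -i %s -p tcp -y -s 0.0.0.0/0 -d %s %s -j ACCEPT\n' \
            "$iface" "$host" "$port"
    else
        printf 'ipchains -I input %s -i %s -p tcp -y -s 0.0.0.0/0 -d %s %s -j ACCEPT\n' \
            "$pos" "$iface" "$host" "$port"
    fi
}

# Demonstration against the constructed chains; 10000 is Webmin's default port.
webmin_rule "$SAMPLE_CHAIN" eth0 192.168.200.5 10000
webmin_rule "$SAMPLE_OPEN"  eth0 192.168.200.5 10000
```

On a real ipchains box the listing would come from `ipchains -L input -n` and the host's own address would replace 192.168.200.5; the printed command is then run by hand (and added to whatever script restores the rules at boot, since ipchains rules do not survive a reboot on their own). Opening the port this way still leaves Webmin reachable from every host on the LAN, which is the "pretty minimal" protection Craig is warning about; narrowing `-s 0.0.0.0/0` to the admin workstation's address is the obvious tightening.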